Are you taking third-party risk seriously enough?

Because third parties are often responsible for data breaches, your internal security standards must extend beyond your borders to cover vendors and other external partners.

SIphotography / Jamie Lawton / Getty Images

What do the exposure of 106 million records from Capital One, 11.9 million records from Quest Diagnostics, and 7.7 million records from LabCorp have in common apart from the fact they all happened this year? In each case the breach was caused by a third party. With the Capital One breach a hacker was able to exploit a configuration vulnerability in the servers of one of its cloud partners. The other two breaches were traced to the same third party – the American Medical Collection Agency’s (AMCA) system.

Data breaches are nothing new. More than 5 billion records were exposed in 2018 alone and third parties were often found to be at fault. The potential cost of a data breach is enormous; even after the breach is cleaned up and the vulnerability shut down, there’s the risk of fines, penalties and settlements which can amount to millions. The reputational damage can linger for years.

With a proper third-party risk management strategy in place you can drastically reduce the chance of a breach happening in the first place and limit the impact on your business if it does.

It’s an expectation not an option

Ignorance is no defense in the event of a data breach. It doesn’t matter if a third party is to blame – if your company is responsible for the data, then you will be held accountable. Regulators in the U.S. and Europe have made it crystal clear that companies are liable for the data they collect and hold, regardless of the network of third parties involved.

Complying with global regulatory requirements is a constantly evolving challenge. It’s important to operationalize data management and security. Start to think of compliance as a journey rather than a destination.

While third-party risk management is especially important in healthcare and finance, where sensitive data and multiple partners are par for the course, this advice also applies to industries from manufacturing to retail to entertainment and beyond. Outsourcing expands your potential attack surface and heightens your exposure to risk and so it must be scrutinized from the start.

Asking the right questions

While you can dig into technical guides like NIST’s CSF and ISO 27001 to help you build solid information security strategies and policies, the best and most obvious way to reduce third-party risk is to limit what you share in the first place. Start with these questions:

Why are you outsourcing this particular service or data?

What precisely is being shared and does it all need to be shared?

Are you doing everything you can to encrypt or anonymize data?

Does the third party in question subcontract to others?

Where are their data centers based?

What kind of contract do you have in place?

What are the provisions in the event of a data breach or a service failure?

A robust incident response plan is vital and it should clearly delineate the process for dealing with a suspected data breach, including who is responsible for what, a realistic timeline for reporting and remediating, and clear lines of communication. It’s alarmingly common for a relatively small incident to snowball into a major disaster because the initial alert was not properly flagged or dealt with in a timely manner.

Regular vendor assessment is crucial

You can’t take it on trust – third parties must be thoroughly vetted and regularly assessed. Proper third-party risk management requires clear documentation covering due diligence, detailed risk assessments, a map of third-party relationships, and clear incident response requirements. You should also be generating performance reports and conducting regular audits.

Everything must be laid out in black and white in a watertight service-level agreement (SLA) to ensure you are fully compliant with regulatory requirements. If the worst should happen, then you will be expected to show regulators your workings. Failure to properly interrogate contracts and third-party practices, or to monitor them on an ongoing basis, will come back to bite you.

The problem with traditional vendor assessments is that they tend to rely on a rating system that gives you an easily digestible score or rank, but an arbitrary number doesn’t tell you enough about your potential exposure or how to deal with it. It’s also fairly common to only conduct reviews annually, but you need real-time rolling visibility if you really want peace of mind.

Acting on the results

One final, vital component in successfully managing third-party risk is acting on the information you gather. It’s all well and good to regularly audit your vendors or even to institute continuous monitoring, but it’s not going to have a positive impact unless your insights are actionable. Each failing must be accompanied by a remediation plan, and the remediation efforts must also be assessed to ensure the problem has been adequately dealt with.

In extreme cases, where remediation has been unsuccessful or vendors repeatedly fail to meet your agreed upon standards, your contract should have provision for you to terminate, without penalty, and find a better partner. If you don’t take third-party risk seriously and ensure that your standards cover data internally and externally, then you are undermining your security efforts and there’s a good chance you’ll end up paying a high price for it.

Michelle Drolet is founder of Towerwall, a small, woman-owned data security services provider in Framingham, MA, with clients such as Smith & Wesson, Middlesex Savings Bank, WGBH, Covenant Healthcare and many mid-size organizations. She can be reached at michelled@towerwall.com.